Hi,
I am using a Netgear WAC510 WAP with OpenWRT installed on it. The only problem is that VLANs don't work. You can configure them, but it doesn't talk to the other devices on the VLAN. Does someone have a similar issue?
The VLAN works when I plug a different AP in my switch port.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
Here is what I got:
root@OpenWrt:~# ubus call system board
{
	"kernel": "5.10.176",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "Netgear WAC510",
	"board_name": "netgear,wac510",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.5",
		"revision": "r20134-5f15225c1e",
		"target": "ipq40xx/generic",
		"description": "OpenWrt 22.03.5 r20134-5f15225c1e"
	}
}

root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd74:aad6:44b6::/48'

config interface 'bridge'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.0.3'
	option netmask '255.255.255.0'
	option gateway '192.168.0.1'

config interface 'guests'
	option device 'br-lan.20'
	option proto 'static'
	option gateway '192.168.175.1'
	list ipaddr '192.168.175.2/24'

config device
	option type 'bridge'
	option name 'br-lan'
	list ports 'eth0'
	list ports 'eth1'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth0:u*'
	list ports 'eth1:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'eth0:t'
	list ports 'eth1:t'

root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option channel 'auto'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option channel 'auto'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option encryption 'psk2'
	option key ''
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'bridge'
	option ssid ''

config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option encryption 'psk2'
	option key ''
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'bridge'
	option ssid ''

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option encryption 'wpa2'
	option auth_server '192.168.0.187'
	option auth_secret ''
	option network ''
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option ssid ''

config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option encryption 'wpa2'
	option auth_server '192.168.0.187'
	option auth_secret ''
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network ''
	option vlan_tagged_interface 'eth0.20'
	option disabled '1'
	option ssid ''

Randomrider:
"version": "22.03.5",
I'd recommend upgrading to 23.05.2.
You've used bridge-vlan syntax... that should work, but I'm curious if this is a proper DSA device (i.e. eth0 and eth1 on a switch), or if the ports are individually routed. If the former, the method you used is the required syntax. If the latter, you may want to use standard dotted notation.
Meanwhile, for the guests network, it is best practice to make the interface unmanaged.
config interface 'guests'
	option device 'br-lan.20'
	option proto 'none'

Your choice of a network name bridge is interesting... I'm not sure if that could cause any problems. Is that network functioning properly?
I would highly recommend removing 802.11r entirely, at least until you verify that everything else is working properly.
I'd recommend deleting everything here, unless you have a specific need for it:
very bad combination for ANY kind of VLAN operation
please upgrade to 23.05.2
i am using ipq40xx with latest OWRT exactly because of vlans
slh
March 18, 2024, 3:28am
As NPeca75 already implied, 22.03.x for ipq40xx implies using the old and very buggy swconfig based switch drivers, which are bad enough on their own, but don't really work with bridge vlan filtering.
Upgrading to 23.05.x (with its new DSA based switch drivers for ipq40xx) really needs to be the first step before dabbling into VLANs and bridge VLAN filtering on ipq40xx.
I upgraded to 23.05.2, upgraded all the packages and it still isn't working. I created the VLAN 20 interface as a static address so that I could ping the router on that network.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
This is my output:
{
	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "Netgear WAC510",
	"board_name": "netgear,wac510",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ipq40xx/generic",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}

root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3c:d8eb:6a6b::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'lan'

config interface 'wan'
	option device 'wan'
	option proto 'static'
	option ipaddr '192.168.0.3'
	option netmask '255.255.255.0'
	option gateway '192.168.0.1'
	list dns '1.1.1.1'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan:u*'

config interface 'guests'
	option proto 'dhcp'
	option device 'br-lan.20'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'eth0:t'
	list ports 'lan:t'

root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall
config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wan'
	list network 'guests'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

DSA syntax tends to mirror the names of the physical ports on the device -- in this case, they appear to be named wan and lan.
So the ports in the bridge don't seem to match that. There are a few possible reasons for this (including not actually being part of a switch), but I think it would make the most sense to do the following:
create a backup (this way you can get back to your current state)
reset to defaults
post the default network config file
Wow, that did the trick! I factory reset it and then added 'wan' to 'bridge-lan' and set up the VLAN bridge like in the previous config and now I can ping the router and I get an IP address on VLAN 20. Thanks for the help!
Great! Glad that did the trick!
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!
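
The port-name mismatch diagnosed in this thread can be checked mechanically. The following is an added example, not code from any post or from OpenWrt: a shell function (hypothetical name `lint_bridge_vlan`) that reads a UCI network config and reports bridge members that are not among the expected port names, expected ports missing from the bridge, and bridge-vlan entries that list non-member ports. The expected names `wan` and `lan` are assumed from the thread, and the sample input is constructed from the second config posted above.

```shell
# Added example, not from the thread. Reads a UCI network config on stdin.
# $1 = port names the device exposes (assumed "wan lan" here, per the thread).
lint_bridge_vlan() {
    awk -v expected="$1" -v q="'" '
    function flush(   i, n, p) {          # record the section that just ended
        n = split(ports, p, " ")
        if (sec == "device" && opt["type"] == "bridge") {
            brports[opt["name"]] = ports
            for (i = 1; i <= n; i++) member[opt["name"], p[i]] = 1
        } else if (sec == "bridge-vlan")
            for (i = 1; i <= n; i++) {
                sub(/:.*/, "", p[i])      # drop the :t or :u* flags
                use[++nuse] = opt["device"] SUBSEP opt["vlan"] SUBSEP p[i]
            }
        split("", opt); ports = ""
    }
    { gsub(q, "") }                       # UCI values are single-quoted
    $1 == "config" { flush(); sec = $2; next }
    $1 == "option" { opt[$2] = $3; next }
    $1 == "list" && $2 == "ports" { ports = ports " " $3 }
    END {
        flush(); n = split(expected, e, " ")
        for (i = 1; i <= n; i++) known[e[i]] = 1
        for (b in brports) {
            m = split(brports[b], p, " ")
            for (i = 1; i <= m; i++) if (!(p[i] in known))
                print b ": member " p[i] " is not an expected port name"
            for (i = 1; i <= n; i++) if (!((b, e[i]) in member))
                print b ": expected port " e[i] " is not a bridge member"
        }
        for (i = 1; i <= nuse; i++) {
            split(use[i], t, SUBSEP)
            if (!((t[1], t[3]) in member))
                print t[1] ": VLAN " t[2] " lists non-member port " t[3]
        }
    }'
}

# Constructed sample, modelled on the second config posted in the thread.
sample_config() { printf '%s\n' \
    "config device" "option name 'br-lan'" "option type 'bridge'" \
    "list ports 'eth0'" "list ports 'lan'" \
    "config bridge-vlan" "option device 'br-lan'" "option vlan '20'" \
    "list ports 'eth0:t'" "list ports 'lan:t'"; }
sample_config | lint_bridge_vlan "wan lan"
```

On the device, run it as `lint_bridge_vlan "wan lan" < /etc/config/network`; no output means none of the three mismatches was found.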